[00:00.000 --> 00:07.420]  Let me share my screen here and I'm going to start to go again.
[00:11.660 --> 00:14.460]  Just in case, I'm going to share the whole screen.
[00:14.800 --> 00:16.960]  I never know where I'm going to end up.
[00:24.700 --> 00:26.120]  Let me go there.
[00:32.610 --> 00:35.390]  And that's showing here again. Oh, well, of course it is.
[00:35.390 --> 00:38.850]  Okay. So, first of all, welcome to this session.
[00:39.070 --> 00:43.630]  I'd like to talk about Global Navigation Satellite Systems
[00:43.630 --> 00:45.930]  and Automatic ID Systems Spoofing.
[00:46.610 --> 00:49.970]  A lot of this has been in the news, certainly for a couple of years.
[00:49.970 --> 00:51.770]  I mean, none of this that I'm going to talk about...
[00:51.770 --> 00:53.850]  well, most of it is not brand new.
[00:53.850 --> 00:56.290]  But I want to talk a little bit about GPS spoofing
[00:56.290 --> 00:59.890]  and then evolve that into AIS spoofing as well.
[01:00.250 --> 01:07.130]  So, on an integrated nav system on a boat,
[01:07.130 --> 01:11.970]  and I've been fortunate enough to be able to walk through some really big boats,
[01:11.970 --> 01:15.030]  although I spend most of my time on pretty small boats.
[01:15.870 --> 01:19.250]  The key issue that I want to say,
[01:19.250 --> 01:21.670]  and this is not going to come as a surprise to any of you,
[01:21.670 --> 01:29.290]  is that GPS plays a big role in situational awareness for a boat.
[01:29.750 --> 01:33.630]  On their chart display, on their chart radar,
[01:33.630 --> 01:37.210]  them just knowing where they are relative to other things.
[01:37.210 --> 01:40.410]  Of course, AIS is huge in understanding,
[01:40.410 --> 01:42.710]  not only just seeing that there's a target out there,
[01:42.710 --> 01:44.470]  but knowing something about the target,
[01:44.470 --> 01:48.310]  which is information that radar, of course, won't give you, can't give you.
[01:48.730 --> 01:53.550]  And then AIS itself, of course, and everything in the integrated nav system,
[01:53.550 --> 01:58.230]  pulling together all of your chart downloads, your chart updates,
[01:58.230 --> 02:00.130]  by the way, these are hacking vectors,
[02:00.130 --> 02:04.750]  all of the sensors on a boat so that you can be producing your own messages,
[02:04.750 --> 02:06.370]  giving situational awareness.
[02:06.370 --> 02:11.550]  Anyway, the whole point is that GPS and AIS are highly intertwingled.
[02:12.350 --> 02:18.630]  Now, again, I'm going to assume that most of you are familiar with at least part of this,
[02:18.630 --> 02:25.070]  but just in case, there are four major global navigation satellite systems.
[02:25.070 --> 02:29.750]  There's BeiDou in China, Galileo is the European Union, GLONASS in Russia,
[02:29.750 --> 02:31.870]  and, of course, our GPS.
[02:31.870 --> 02:33.610]  There are a couple of regional systems.
[02:33.610 --> 02:37.450]  India has something called NAVIC. Japan has something called QZSS.
[02:37.990 --> 02:43.450]  All of these systems use medium Earth orbit satellites,
[02:43.450 --> 02:48.430]  and they're all using different constellations.
[02:48.810 --> 02:54.250]  And, you know, as this chart is trying to show, or at least give you an idea,
[02:54.250 --> 03:00.890]  you can see that the four GNSS satellites are at different altitudes,
[03:00.890 --> 03:06.230]  you know, from the Earth, and then, of course, their orbital circumference as well.
[03:06.510 --> 03:14.510]  The periods range for the different satellite networks from, you know, 11 to 14 hours for one cycle.
[03:14.510 --> 03:18.310]  But one of the keys is also, look how far away they are.
[03:18.310 --> 03:21.250]  I mean, you're talking 12 to 15,000 miles.
[03:21.370 --> 03:26.230]  Now, the only comment I want to make about that is sort of obvious, but I'll make it later,
[03:26.230 --> 03:34.370]  is the signal strength that is coming from a satellite 15,000 miles away is not terribly strong once it gets to the Earth.
[03:34.370 --> 03:38.090]  That will be an important part when we think about jamming.
[03:39.330 --> 03:47.230]  So when we talk about GNSS systems, we always talk about the space segment, control segment, and the user segment.
[03:47.310 --> 03:50.590]  The space segment is, of course, the satellites themselves.
[03:50.590 --> 03:53.250]  The user segment is the user equipment.
[03:53.250 --> 04:01.510]  So here we've got, you know, this happens to be a GPS antenna, but any GNSS system would work.
[04:01.670 --> 04:06.190]  So I've got a GNSS antenna connected to my GNSS receiver and display.
[04:06.190 --> 04:12.790]  The GNSS information might be now connected to other devices in that integrated nav system, and we'll talk about that.
[04:13.730 --> 04:16.030]  And then we've got the control segment.
[04:16.050 --> 04:22.250]  And the control segment, of course, this is stuff that we as users don't really have much to do with.
[04:22.250 --> 04:24.830]  But here's where you have the master control stations.
[04:24.830 --> 04:29.710]  You have a variety of ground antennas, a whole bunch of monitoring and tracking stations.
[04:29.710 --> 04:37.790]  But this is what is managed by, well, currently, if it's GPS, is managed by U.S. Space Force.
[04:40.400 --> 04:45.240]  So what this slide is talking about is this.
[04:45.960 --> 04:55.120]  And most of you, if you've played around with GPS, and particularly with any GPS app that tells you how many satellites you're seeing and all those kind of things,
[04:55.120 --> 05:03.060]  the GPS constellation, for example, requires, I believe, 24 satellites to be operational.
[05:03.220 --> 05:08.880]  We have 30. The extra six are basically backup in case one of the other ones fails.
[05:09.220 --> 05:13.100]  For you to get a fix, you need to be able to see at least four of them.
[05:15.140 --> 05:19.800]  So global nav systems all work by using trilateration.
[05:19.820 --> 05:27.700]  So I have my receiver, and I can figure out how far am I from three of the satellites.
[05:27.880 --> 05:35.680]  And if I can figure out how far and at what angle I am from the three satellites, I can, you know, trilaterate.
[05:35.680 --> 05:40.260]  That's probably not really a word. I can triangulate my position based on that.
[05:40.260 --> 05:43.060]  So it's basically passive range finding.
[05:43.060 --> 05:46.340]  And so here's the next point that I just made earlier.
[05:46.380 --> 05:49.640]  These signals are being sent down at 50 watts.
[05:49.640 --> 05:53.700]  They are minuscule, hardly measurable when they hit the earth.
[05:54.240 --> 06:00.080]  This is why GPS jamming is very simple to accomplish.
[06:00.200 --> 06:03.000]  All I need is a signal on the right frequency.
[06:03.000 --> 06:07.020]  It's even a few watts, and I can blast out the GPS signal.
[06:07.020 --> 06:12.460]  It's also trivial to detect when GPS jamming is being used.
[06:12.460 --> 06:17.000]  So if you want to do surreptitious GPS jamming, you have a slightly harder problem.
[06:17.520 --> 06:20.720]  And, well, that's not why I'm here.
[06:20.720 --> 06:29.160]  But in any case, GPS transmits in the ultra high frequency band.
[06:29.420 --> 06:34.780]  GPS in particular, and actually GLONASS as well, use the L band.
[06:35.440 --> 06:40.140]  And all of the satellites are sharing the same frequency.
[06:40.240 --> 06:43.100]  They're doing it with code-division multiple access.
[06:43.140 --> 06:45.980]  We'll talk about CDMA in just a second.
[06:45.980 --> 06:57.180]  And the way in which you can differentiate the different satellite transmissions is because each satellite is assigned what's called a pseudorandom noise sequence.
[06:57.180 --> 07:01.780]  It's just a pseudorandom set of zeros and ones.
[07:01.780 --> 07:06.420]  Each satellite has its own PRN code.
[07:06.420 --> 07:09.040]  We know what the PRN codes are.
[07:09.040 --> 07:15.740]  So when you're receiving a signal, you can detect the PRN code and you know what satellite is communicating to you.
[07:15.880 --> 07:21.680]  Now, as a side note of history, I would like to point out that CDMA actually is an old idea.
[07:21.740 --> 07:28.480]  It was invented in the early 1940s by a musician named George Antheil and the actress Hedy Lamarr.
[07:28.480 --> 07:33.220]  Hedy Lamarr was responsible for a bunch of interesting inventions.
[07:33.700 --> 07:45.060]  But they developed this for the Navy because you may or may not know if you read some early World War II history, US Navy torpedoes mostly missed their target.
[07:45.120 --> 07:48.560]  And even a large number of them that hit the target didn't explode.
[07:49.020 --> 07:51.840]  In any case, they offered this up for free to the Navy.
[07:51.840 --> 07:56.040]  The Navy did not take them up on it for a couple of decades.
[07:56.040 --> 08:01.300]  But in any case, today we see CDMA used in Bluetooth, mobile phones, and GPS.
[08:03.000 --> 08:07.800]  Anyway, I said before that for us to get a position, we need four satellites.
[08:07.800 --> 08:16.060]  So one of the problems with global nav systems is that all of the satellites have on board a cesium clock.
[08:16.060 --> 08:18.680]  Your GPS receiver does not.
[08:18.680 --> 08:20.800]  So there is some clock bias.
[08:20.800 --> 08:28.360]  So if you want to trilaterate with just three satellites, which is really all you need, you're going to have an error of about a mile.
[08:28.620 --> 08:41.020]  By reducing or eliminating the clock bias, which is why you need the fourth satellite to be able to correct that drift, you can get your error down to about three feet.
[08:41.480 --> 08:47.320]  Which is why we get some very, very precise measurements with GPS.
[08:48.780 --> 08:53.500]  So I mentioned GPS was now managed by U.S. Space Force.
[08:53.500 --> 08:57.440]  It started as a Navy and Air Force project in the late 60s.
[08:57.440 --> 09:02.740]  It was managed by the Air Force until the U.S. Space Force took it over, I believe, last year.
[09:03.360 --> 09:06.260]  The first satellite wasn't launched until 78.
[09:06.260 --> 09:11.700]  We didn't have operational GPS in the civilian community until sometime in the 90s.
[09:13.500 --> 09:17.580]  And originally, civilian GPS was degraded.
[09:17.580 --> 09:25.860]  And it was degraded in accuracy compared to military because what they would do is they would introduce timing errors.
[09:26.560 --> 09:31.020]  So remember back here, I said, if you don't correct your timing bias, you can have some big errors.
[09:31.020 --> 09:32.620]  Well, that's exactly what they did.
[09:32.620 --> 09:46.320]  In 2000, which still would have been the Clinton administration, there was an executive order that basically said this so-called selective availability is no longer going to be in civilian GPS.
[09:46.380 --> 09:50.460]  And even though the military wanted it, the president said no.
[09:50.740 --> 09:54.640]  But there are basically today still two services.
[09:54.640 --> 09:59.340]  There's the standard positioning service and there's precise positioning service for military.
[09:59.340 --> 10:00.960]  GPS is for civilians.
[10:02.160 --> 10:11.360]  We still have pretty good granularity, but selective availability could make the SPS service degrade.
[10:11.360 --> 10:20.160]  But since we have no selective availability anymore, the SPS and PPS pretty much are equal in terms of service.
[10:20.300 --> 10:26.960]  The difference between the two today is that PPS is encrypted and SPS is not.
[10:26.960 --> 10:29.220]  So we'll come back to that later on.
[10:29.220 --> 10:32.580]  Anyway, I already mentioned with GPS, we've got 31 satellites.
[10:32.580 --> 10:34.940]  We need 24 at 95% uptime.
[10:34.940 --> 10:39.260]  And each of the satellites has an orbital period of like 11 hours and 59 minutes.
[10:39.260 --> 10:41.640]  So we get about two orbits per day.
[10:43.320 --> 10:49.360]  Now, a GPS transmission, and this I'm really just giving you for a little bit of interest.
[10:49.920 --> 10:54.860]  A GPS satellite is transmitting what's called a navigation message.
[10:54.860 --> 10:59.820]  A navigation message has, as it says here, 37 and a half thousand bits.
[10:59.820 --> 11:02.340]  We're transmitting at 50 bits per second.
[11:02.380 --> 11:07.780]  It takes about 12 and a half minutes for the entire message to hit the ground receiver.
[11:08.060 --> 11:14.920]  Now, in the message, we have the date and time, GPS date and time.
[11:14.920 --> 11:24.180]  We have information about this particular transmitting satellite, namely its status and health and all that kind of stuff, as well as what's called ephemeris information.
[11:24.180 --> 11:31.240]  So the position and velocity of the satellite, because if I'm going to measure my distance from me to the satellite,
[11:31.240 --> 11:35.560]  I need to know exactly where the satellite is, oh, by the way, and how fast it's moving,
[11:35.560 --> 11:39.660]  because that's going to impact how quickly I'm seeing the signal.
[11:39.660 --> 11:41.460]  A little error, but it's in there.
[11:42.120 --> 11:44.460]  And then there's something called the almanac.
[11:44.460 --> 11:50.720]  The almanac has gross ephemeris data for all of the GPS satellites.
[11:50.920 --> 11:53.540]  Now, the usefulness for that is this.
[11:53.540 --> 12:00.360]  When you flip on your GPS receiver, it takes a couple seconds to figure out where you are.
[12:00.360 --> 12:07.820]  Well, that's because it took a couple seconds to find and interpret the data from the first satellite.
[12:07.920 --> 12:15.300]  But as it sees the almanac, it can figure out where all the other, at least visible, satellites are going to be.
[12:15.300 --> 12:22.460]  And it's getting enough information from enough satellites that it can quickly find other satellites to ping off of.
[12:22.460 --> 12:33.100]  This is also why sometimes you'll get a satellite, a fix that'll show you someplace, and a couple seconds later, all of a sudden, it changes.
[12:33.260 --> 12:39.240]  Because, again, you were sort of getting a gross idea of where you were, but there may have been some error.
[12:39.240 --> 12:44.540]  And then as it, you know, gets all of the communication, all the satellites, it gets in a slightly better position.
[12:45.780 --> 12:50.000]  Just for FYI, GLONASS does a similar thing.
[12:50.000 --> 12:54.380]  Their messages are only 7,500 bits, also at 50 bits per second.
[12:54.380 --> 12:57.520]  They carry pretty much the same kind of information.
[12:57.920 --> 13:02.100]  The data for the sending satellite is, you know, very specific.
[13:02.100 --> 13:05.320]  And then it has what it calls non-immediate data.
[13:05.320 --> 13:07.680]  Basically, that's the almanac for everything else.
[13:09.580 --> 13:11.520]  I've already mentioned the L band.
[13:12.420 --> 13:16.420]  So you're a techie group, so I'll say a couple of techie things to you.
[13:17.260 --> 13:24.540]  If I am a satellite that's transmitting, I'm going to be transmitting on whatever carrier frequency I have.
[13:24.540 --> 13:31.600]  So the L1 band, I actually didn't include the frequencies, I'm not sure why, but the L1 band is whatever frequency it is.
[13:31.600 --> 13:44.720]  So what I'm going to do is I'm going to modulate my transmission on that carrier frequency by combining the nav message and exclusively ORing it with my PRN code.
[13:44.720 --> 13:57.040]  Now, since the PRN code is unique to a satellite, I can extract the PRN code because the format for the nav message, I know that.
[13:57.040 --> 14:02.020]  So now it's merely a matter of, like I said, I can extract the PRN information.
[14:02.480 --> 14:05.860]  Now, I already mentioned before that there were the two services.
[14:05.860 --> 14:13.480]  There was the standard service, unencrypted for civilians, and the precision service for military that was encrypted.
[14:13.480 --> 14:18.240]  Well, one satellite is sending both signals at the same time.
[14:18.240 --> 14:28.180]  And what they do is they send the precise position service, the encrypted military service, 90 degrees out of phase with the civilian service.
[14:28.180 --> 14:31.720]  So again, all of that is happening on the same channel.
[14:32.700 --> 14:38.220]  And there are some additional things you need for the PPS, this precision code that I mentioned here.
[14:38.360 --> 14:42.840]  It just provides some better interference protection and spoofing resistance.
[14:42.840 --> 14:48.820]  I mean, it's very, very hard to spoof on military GPS because you have to spoof an encrypted message.
[14:48.820 --> 14:51.240]  And that is unlikely that you're going to do that.
[14:51.340 --> 14:53.440]  Anyway, there's also the L2 band.
[14:53.440 --> 14:57.760]  It was originally designed for military use only and encrypted applications.
[14:58.040 --> 15:01.900]  It's now being opened up for civilian use.
[15:01.900 --> 15:08.660]  They're also starting to use an L5 band, which is now going to be a third channel for civilian use on GPS.
[15:11.230 --> 15:14.430]  I don't think I need to tell you why GPS is important.
[15:15.050 --> 15:18.610]  Obviously, we need it for ships, all sorts of things on ships.
[15:18.610 --> 15:20.450]  We need it for aids to navigation.
[15:20.650 --> 15:22.130]  We need it for ports.
[15:22.130 --> 15:24.230]  We need it for vessel traffic management.
[15:25.350 --> 15:30.230]  So, like I said, I'm not going to beat you up too much on the importance of GPS.
[15:31.850 --> 15:38.690]  I will observe, however, that when we talk about GPS spoofing, GPS jamming and all that kind of stuff,
[15:38.690 --> 15:46.750]  one of the things that doesn't get talked about, in my view, enough is the importance of GPS to timing.
[15:47.050 --> 15:52.410]  There are a lot of devices on Earth that get their timing from GPS satellites.
[15:52.950 --> 16:00.110]  For example, all digital telecommunications networks, including North American mobile phones and digital telecom carriers,
[16:00.110 --> 16:02.730]  are basically working off of the same clock.
[16:02.850 --> 16:05.470]  Power grids need timing.
[16:05.470 --> 16:08.470]  Some of the network time protocol servers on the Internet...
[16:09.090 --> 16:16.290]  Anyway, the point is that if I can disrupt timing signals coming from GPS,
[16:16.290 --> 16:22.130]  then that also is another attack vector on the entire GNSS system.
[16:22.130 --> 16:30.150]  Even though I might be getting what I believe are accurate records of where I am, I can still be screwing up the timing.
[16:30.330 --> 16:33.950]  The second bullet item actually has a lot here.
[16:33.950 --> 16:39.470]  A one nanosecond timing error can cause a one foot positioning error.
[16:39.930 --> 16:47.870]  Now, as a mere aside to this, many of you may know who Grace Murray Hopper was.
[16:49.130 --> 16:55.070]  Grace Murray Hopper, when she was still on active duty as an admiral in the late 1970s,
[16:55.070 --> 16:59.870]  I had the joy to see one of her talks. I got to drive her around Vermont for a day. That was really cool.
[16:59.870 --> 17:05.450]  She would always go to her lectures and say, you know, back in the day...
[17:05.450 --> 17:12.550]  Well, she didn't use that expression, but back in the 50s, programmers were always trying to save nanoseconds.
[17:12.550 --> 17:17.290]  One day I went to one of the engineers and I said, what is a nanosecond?
[17:17.630 --> 17:21.010]  And he looked at me, then he pulled out a piece of wire.
[17:21.010 --> 17:28.610]  He cut off 11.8 inches and handed me the wire and says, that's how far light travels in a nanosecond.
[17:28.610 --> 17:32.970]  So she would go to all of her lectures carrying around a whole crapload of nanoseconds.
[17:32.970 --> 17:35.150]  And she'd hand out, you know, pieces of wire to people.
[17:35.310 --> 17:39.390]  In any case, I remember that lecture from, you know, 40 years ago.
[17:39.650 --> 17:46.170]  I think it was only 40 years ago. In any case, but that tells a lot.
[17:46.170 --> 17:48.590]  A nanosecond puts me off by a foot.
[17:48.710 --> 17:55.530]  If I can cause there to be, you know, a hundred nanosecond error or a microsecond error,
[17:55.530 --> 17:59.210]  we can cause people to be, you know, way far off from where they want to be.
[17:59.630 --> 18:03.390]  In any case, GPS jamming has been around for a while.
[18:03.490 --> 18:09.070]  We started to hear about this publicly, really, probably about four or five years ago.
[18:09.070 --> 18:16.650]  There was one really famous case where, well, the Newark airport was testing its automatic landing system.
[18:16.750 --> 18:23.950]  They had a plane coming in on automatic landing and they lost their GPS signal.
[18:23.950 --> 18:31.950]  So it happened because there was a truck driver who was taking a break, didn't want his bosses to know where he was.
[18:31.950 --> 18:36.410]  So he bought a GPS jammer so that his truck wouldn't broadcast the GPS signal.
[18:36.650 --> 18:42.170]  Anyway, they eventually found him. But the fact is, GPS jamming is relatively easy to do.
[18:42.170 --> 18:46.910]  It is totally illegal, but you can still buy GPS jammers.
[18:49.430 --> 18:57.110]  And in any case, the advice from the Coast Guard, you know, the trust, but verify if you don't have your GPS data,
[18:57.110 --> 19:00.670]  know how to read your chart, use your binoculars, all that kind of stuff.
[19:01.410 --> 19:05.150]  But really what I want to talk about is GPS spoofing.
[19:05.590 --> 19:12.790]  The first real public story about GPS spoofing came out also about six years ago.
[19:13.310 --> 19:22.050]  A group from the University of Texas at Austin spoofed the GPS signals on a yacht called the White Rose of Drachs in the Mediterranean Sea.
[19:22.810 --> 19:25.750]  And I'm going to show you a one and a half minute video.
[19:25.750 --> 19:32.790]  But basically what happened was using totally COTS equipment, they built themselves a GPS transmitter.
[19:32.790 --> 19:37.510]  They put the attacker on the boat. The boat crew knew that something was going to happen.
[19:37.510 --> 19:50.810]  They just didn't know what. And the attacker slowly started sending increasingly powerful GPS signals until it overwhelmed the boat's GPS receiver.
[19:50.810 --> 20:00.050]  And then they drove the boat off course. And then the crew dutifully put the boat back on course, which of course drove it off course.
[20:00.050 --> 20:05.050]  So with that teaser, let me give you a one minute and 37 second video.
[20:05.050 --> 20:08.510]  I'll try to make my volume loud enough so that you can hear it.
[20:16.680 --> 20:28.400]  Southern coast of Italy in June 2013, a 65 meter super yacht and her crew were part of an unprecedented experiment led by the University of Texas at Austin
[20:28.400 --> 20:35.700]  that successfully coerced the vessel off course using a custom made GPS spoofing device.
[20:35.700 --> 20:45.440]  30 miles from land, the crew's sense of the ship's location is based entirely on simple GPS signals broadcast from orbiting satellites.
[20:45.700 --> 20:54.500]  The student, serving as the attacker, commands the spoofing device to transmit faint, counterfeit signals towards the ship's antennas.
[20:54.500 --> 21:03.320]  The attacker increases the power of the spoofing signals until they are stronger than the satellite signals, gaining control of the ship's navigation system.
[21:03.320 --> 21:07.160]  The takeover is stealthy. No alarms are triggered.
[21:07.180 --> 21:12.700]  Once in control, the attacker initiates a three degree change to the ship's course.
[21:12.700 --> 21:17.660]  The ship's navigation system reports that the vessel is drifting slowly to the left.
[21:17.660 --> 21:21.860]  The false location is represented here by the ghost ship.
[21:21.860 --> 21:27.160]  The crew applies a course correction to bring the ghost ship back onto the intended path.
[21:27.160 --> 21:30.600]  In reality, the ship is now on the attacker's course.
[21:37.500 --> 21:39.380]  So, pretty cool, huh?
[21:40.360 --> 21:45.860]  So, armed with that, I'm going to show you some other case studies.
[21:46.560 --> 21:55.660]  I'm not going to tell you every case study that I know about, but what I'm trying to do is show you the escalation in GPS spoofing that's occurred over the years.
[21:55.860 --> 22:03.000]  So, in the University of Texas case, what they did is they spoofed one vessel to go off course.
[22:04.260 --> 22:09.020]  In 2017, there was a mass GPS spoofing event in the Black Sea.
[22:09.420 --> 22:13.400]  And what happened was, this was reported by the master of a vessel called the Atria.
[22:14.680 --> 22:19.600]  And Atria was parked off the coast of Russia.
[22:19.840 --> 22:27.020]  And all of a sudden, his GPS and AIS told him that he was in the middle of an airport.
[22:28.420 --> 22:45.300]  And, oh, by the way, his closest point of alarm notification on his AIS devices were going crazy, because he was now also being told by his AIS equipment that you're less than 100 meters from 19 other ships.
[22:45.680 --> 22:53.140]  Now, the captain's no fool. He goes out to his bridge, looks around, and says, yeah, I'm in the water, and there's no other ships in sight.
[22:53.140 --> 23:01.000]  But here is showing where he was. That's the ship's position on the bottom.
[23:01.120 --> 23:09.780]  And up above is showing the GPS coordinates of where, well, his GPS device was telling him where he was, again, in the middle of an airport.
[23:09.900 --> 23:20.340]  Now, one of the interesting things that's worth noting on this is on this GPS display, over on the right, you can see it's identifying all these satellites.
[23:20.340 --> 23:32.100]  And they're all coming in with the same power, which is unusual, because you've got six GPS satellites. They're not all the same distance from you. All the power shouldn't be the same.
[23:32.780 --> 23:45.300]  In any case, in 2018, we start to get a report, constant GPS issues in the eastern Med and some in the Red Sea.
[23:45.300 --> 23:58.440]  This continues into 2019. Throughout the Med, people are finding GPS issues. GPS is going out. Ships are finding themselves being told they're in entirely different locations.
[23:58.900 --> 24:08.380]  And so last year, about a year and a quarter ago, a place called the Center for Advanced Defense Studies put out a report called Above Us Only Stars.
[24:08.380 --> 24:18.860]  It is really, really an interesting report. And it basically talks about how Russia has been manipulating GNSS signals for at least the last four years.
[24:18.980 --> 24:31.800]  And they show a bunch of examples of vessels thinking that they're docked in the water and yet actually being, or the GPS telling them that they're at an airport.
[24:32.500 --> 24:46.660]  Usually it's a nearby airport. And it's been a real interesting, it's a very, very interesting read, because particularly now, if you read some of the more current literature, they're talking about, well, it's not just Russia.
[24:46.660 --> 24:54.040]  China is doing the same thing. North Korea is doing the same thing. And, you know, obviously, spoofing is a problem.
[24:54.820 --> 25:11.700]  Four years ago, spoofing was something that a nation state could pull off. Increasingly, GNSS spoofing technology is becoming such that a terrorist group can use this, criminal gangs can use this, lone operators can use this.
[25:11.760 --> 25:16.920]  So, I mean, this is a big issue right now for, you know, well, all the obvious reasons.
[25:17.700 --> 25:24.020]  So one case study that's worth mentioning, some of you may know about this, this was about a year ago.
[25:24.540 --> 25:30.740]  The tanker Stena Impero, it's a British ship, was seized by the Iranians.
[25:30.740 --> 25:43.040]  Now, the suspicion was that the Iranians seized Stena Impero because the Brits had seized an Iranian vessel in Gibraltar for violating some of the European Union sanctions.
[25:43.040 --> 25:49.940]  But in any case, when they went back and they looked at the AIS data, they saw, well, here was the path of Stena Impero.
[25:50.040 --> 25:54.380]  And it's gone through the Strait of Hormuz, staying right down the middle where ships are supposed to stay.
[25:54.380 --> 26:02.240]  And then all of a sudden it turns north and starts to go into Iranian waters where it was seized for violating their waters.
[26:02.920 --> 26:12.420]  And there has been a lot of, a lot of talk and a lot of ink spread about the fact that they believe that this was a GPS spoof.
[26:12.420 --> 26:15.100]  That caused the ship to go off course.
[26:16.080 --> 26:23.260]  But more interestingly is what happened, or at least started to be reported, last year in the port of Shanghai.
[26:23.620 --> 26:32.400]  So all of the spoofing so far has been directed either at a single vessel or at a group of vessels, placing them all in the same place.
[26:32.820 --> 26:40.660]  So what happened in the port of Shanghai, and it's really interesting to read this, we have this vessel, Manukai, and he's going up the river.
[26:41.440 --> 26:50.980]  And he's checking his ECDIS, and the AIS is reporting that there's a ship at a berth that's in the channel, making seven knots.
[26:51.020 --> 26:55.780]  Then all of a sudden it disappeared. And then all of a sudden it was back at the dock.
[26:55.780 --> 27:00.280]  Then it was now underway at a variety of different speeds, then it disappeared.
[27:00.280 --> 27:03.240]  And this pattern continued over and over.
[27:03.240 --> 27:11.980]  Now again, the master of the vessel is no fool, goes out to the bridge, looks at his binoculars and says, yeah, that other vessel has never left the dock.
[27:13.420 --> 27:20.280]  And so when some analysis was done of the spoofing events that had been going on in the port of Shanghai,
[27:20.280 --> 27:29.900]  what they found was that multiple vessels had been spoofed simultaneously to be in multiple locations.
[27:29.900 --> 27:36.620]  One vessel was in multiple locations, but all of the different ships were at different locations.
[27:36.680 --> 27:40.980]  And that was actually really hard to pull off.
[27:41.000 --> 27:47.200]  And then when they looked at the collection and intensity, they found that, as it says here, this crop circle,
[27:47.200 --> 27:57.000]  they found that the most reported spoofed location came out in these circles.
[27:57.000 --> 28:04.440]  And it hasn't been just Shanghai. Earlier or late last year, we started to hear about circle spoofing in Iran.
[28:04.440 --> 28:10.960]  This is Tehran, where some ships out at the harbor were all finding themselves downtown Tehran.
[28:11.440 --> 28:25.400]  And in one of the most interesting things that was recently reported was a whole bunch of circle spoofing in the area of Point Reyes near San Francisco and up the west coast of California.
[28:25.400 --> 28:29.720]  And you'll notice we have all these different circle spoofs here.
[28:29.940 --> 28:41.520]  And what's really interesting about this is in all the previous circle spoofing that the boats having their GPS spoofed in Shanghai were at least in Shanghai.
[28:41.760 --> 28:49.760]  The West Coast spoofing happened over a whole bunch of dates, but the ships were actually in a whole different hemisphere.
[28:49.760 --> 28:56.560]  And yet their GPS was putting them off the coast of California, off the West Coast of Canada, up near Alaska.
[28:57.300 --> 29:05.640]  Really, really interesting stuff. I say interesting in an intellectual way and an academic way.
[29:05.640 --> 29:09.320]  It's actually horrifyingly bad if you're on that vessel.
[29:11.360 --> 29:17.720]  Now, you can spoof GPS without actually having a GPS device.
[29:17.720 --> 29:30.420]  So, again, Eric Raymond has a really cool site where, if you go to it, I'm going to try to get over there.
[29:31.920 --> 29:43.640]  And this page called NMEA Revealed talks about, you know, all the different NMEA messages that you can associate with GPS.
[29:43.640 --> 29:49.280]  So I'm going to leave that there for now. But in any case, the point is, you know, you can get to all these things.
[29:49.340 --> 29:52.180]  At the bottom there, I have an example of a GPS message.
[29:53.280 --> 29:58.800]  The GP says that the talker, the device that you're communicating with, is a GPS device.
[29:58.960 --> 30:03.260]  The GLL is a particular type of message. This is the geographic position message.
[30:03.300 --> 30:06.940]  And then you can see all the other information that's here.
[30:06.940 --> 30:12.500]  I've got my latitude, 29 degrees, 11.585 minutes north.
[30:12.500 --> 30:17.860]  Here's my longitude. Here's the UTC time when this fix was taken.
[30:17.960 --> 30:22.860]  This thing here is a checksum. This message is a GPS fix.
[30:22.860 --> 30:25.760]  It's slightly, just has slightly more information.
[30:25.760 --> 30:31.620]  But the point is, it's pretty easy to download code that can generate these messages for you.
[30:31.620 --> 30:40.100]  In fact, it's easy enough... hang on, I'm not sure what just broke there.
[30:43.470 --> 30:46.610]  Okay, well, this appears to still be there.
[30:46.810 --> 30:52.070]  I'll get back to... hopefully you're all still seeing the PowerPoint.
[30:52.310 --> 30:56.770]  Anyway, you can create these messages relatively simply.
[30:57.710 --> 31:02.730]  And then there's all sorts of ways you can use something like a software-defined radio
[31:02.730 --> 31:08.110]  to poke this stuff out on the L1 frequency, which I happen to give you here.
[31:08.430 --> 31:12.950]  And again, a ton of open source tools available to do this.
[31:13.410 --> 31:19.630]  Now, there are a number of ways in which spoofing can be mitigated.
[31:19.710 --> 31:23.890]  Because I don't want to leave you with the impression that, oh, GPS is going to hell now.
[31:24.310 --> 31:28.290]  First of all, and this is starting to be built into a lot of receivers,
[31:28.290 --> 31:35.750]  is you can detect the signal distortion at the instant when the bogus signal overpowers the legitimate message.
[31:35.750 --> 31:41.110]  It turns out there are some blips if the spoofer doesn't do this right.
[31:41.110 --> 31:49.670]  The other thing is, when you're getting GPS signals from X number of satellites, they're coming from X directions.
[31:49.670 --> 31:52.490]  Most spoofing comes in from a single direction.
[31:52.490 --> 31:59.130]  Even if it comes in from multiple directions, you can see that all of a sudden I have a new signal
[31:59.130 --> 32:03.430]  and it's not coming from where I'm expecting it to have been coming from.
[32:03.710 --> 32:09.890]  The other thing is, the spoofed signals won't have the encrypted military signal on it.
[32:09.950 --> 32:15.110]  So one thing that people are starting to do is they're starting to correlate the encrypted signal
[32:15.110 --> 32:19.250]  to be sure that it is an authentic encrypted signal.
[32:19.250 --> 32:25.570]  Now, my receiver can't interpret the military signal, but at least I can tell if it's legit.
[32:26.530 --> 32:34.030]  And then, of course, more and more GNSS receivers on the big boats are monitoring multiple constellations.
[32:34.030 --> 32:39.950]  So if I think that GPS isn't working, I can switch over to, you know, GLONASS.
[32:39.950 --> 32:44.490]  Now, it turns out there is a report that just came out that said that U-2 pilots currently
[32:45.530 --> 32:50.510]  are reportedly using watches that have all four constellations.
[32:50.810 --> 32:56.670]  And the Raymarine GA-150 unit I just mentioned, because I found it as an example,
[32:56.670 --> 32:59.470]  has this built-in GPS GLONASS receiver.
[32:59.470 --> 33:02.370]  So, you know, it's using both constellations.
[33:04.270 --> 33:07.150]  Now, I really wanted to talk about AIS.
[33:07.150 --> 33:12.970]  So that gets me here. But AIS doesn't work without GPS,
[33:12.970 --> 33:18.450]  although there are ways that I can spoof AIS and I don't even have to worry about GPS.
[33:18.850 --> 33:24.230]  So I've already mentioned AIS is, or we've already talked about.
[33:24.230 --> 33:28.130]  Automatic ID system is a situational awareness system for ships.
[33:28.330 --> 33:35.630]  It provides a way that ships can identify who they are, in some cases, what their cargo is,
[33:35.630 --> 33:40.530]  what type of vessel they are, their position, speed, heading, destination, all that kind of stuff.
[33:40.630 --> 33:45.670]  It also means that maritime authorities can track the vessels that are coming within their areas of responsibility.
[33:45.790 --> 33:49.010]  Ports can track vessels coming into their port, etc., etc.
[33:50.970 --> 33:56.390]  Now, there are rules about who is required to carry AIS.
[33:56.630 --> 34:00.390]  And this page is trying to give you some idea of those.
[34:00.390 --> 34:06.490]  You can get the idea that AIS is required on big vessels, which probably doesn't come as a surprise to anybody.
[34:06.890 --> 34:11.590]  There is a warship exemption, which I'm not going to worry too much about.
[34:11.870 --> 34:20.170]  But in any case, the point is big ships and/or ships with a lot of passengers all need to be broadcasting their AIS information.
[34:21.050 --> 34:26.070]  So here is just an example of an ECDIS display that you might see on a boat.
[34:26.990 --> 34:32.370]  And, you know, again, you've got all your targets here, at least all the targets that are broadcasting.
[34:33.330 --> 34:38.670]  And you can click on them and they're going to show you whatever information they're going to show you.
[34:40.330 --> 34:44.350]  I use a program called OpenCPN.
[34:44.870 --> 34:47.190]  If you were in my last talk, you saw that there.
[34:47.190 --> 34:50.910]  I'm going to actually get rid of this right now because I don't care.
[34:50.910 --> 34:56.430]  But right now I'm getting information off the area of Daytona Beach.
[34:56.450 --> 34:58.570]  So, for example, right here I have a vessel.
[34:58.570 --> 35:02.250]  Oh, the Ho Detroit. That is a new one for me.
[35:02.450 --> 35:05.910]  Anyway, another ship from Norway.
[35:07.730 --> 35:17.570]  And so right now I'm getting the fact that, OK, its destination is Jacksonville, which, of course, is north of us by about 90 miles from where they are.
[35:17.810 --> 35:20.070]  Yeah, probably about 100 or so miles from where they are.
[35:21.190 --> 35:25.990]  And their ETA is to get there tomorrow morning at 0700 UTC.
[35:26.470 --> 35:28.770]  Here's their speed, their course, their heading.
[35:28.770 --> 35:30.230]  They're going in a straight line.
[35:31.610 --> 35:33.510]  And here's the size of the vessel.
[35:33.510 --> 35:35.810]  So this is no small vessel.
[35:36.730 --> 35:39.110]  Over here, I've got another vessel as well.
[35:39.110 --> 35:40.910]  The Charles A. That one's new.
[35:41.230 --> 35:42.770]  At least I haven't seen it recently.
[35:42.970 --> 35:43.870]  You know, same kind of thing.
[35:43.870 --> 35:47.150]  Here we have a tug and it's actually towing astern.
[35:47.150 --> 35:48.290]  We get that a lot.
[35:48.290 --> 35:51.450]  We have sea-going barges up here.
[35:51.450 --> 35:54.790]  So getting a tug, towing something, not unusual.
[35:55.050 --> 35:56.570]  This one's going to New York.
[35:56.770 --> 35:58.510]  Don't know where it came from.
[35:58.530 --> 36:01.710]  And it says it's going to get there on June 19th.
[36:03.590 --> 36:04.230]  Yeah, OK.
[36:04.230 --> 36:12.390]  So all the information that you see on AIS may not be 100% accurate because I don't think they're going to take another year to get where they're going.
[36:12.930 --> 36:15.350]  But in any case, you take what you can get.
[36:15.350 --> 36:17.990]  Here we're actually seeing it report its rate of turn.
[36:18.570 --> 36:23.230]  It's turning at least five degrees every 30 seconds to the port.
[36:24.390 --> 36:27.190]  So this can be useful information as well.
[36:27.830 --> 36:30.170]  In any case, I told you that.
[36:30.310 --> 36:34.250]  So I can tell you some other stuff that I'm going to show you here.
[36:37.430 --> 36:46.920]  So in any case, the AIS communication protocol largely uses something called self-organizing time division multiple access, which is a little bit of a mouthful.
[36:47.310 --> 36:56.630]  But basically, you're broadcasting in what you consider to be your time slot and you make reservations for other time slots.
[36:56.630 --> 37:01.430]  Every vessel that can hear you hears your time slot reservations.
[37:02.850 --> 37:11.610]  Usually you're only talking to other vessels that are within about a 10 or 15 mile range.
[37:12.610 --> 37:17.910]  I mentioned here on the page that there's a bunch of protocols from the National Maritime Electronics Association.
[37:18.430 --> 37:21.550]  0183 is the most common one that we're going to see over the year.
[37:22.350 --> 37:25.770]  This protocol has been around since about 1986.
[37:25.870 --> 37:30.130]  NMEA 2000 has been around for about 20 years.
[37:30.130 --> 37:32.790]  And the OneNet protocol is brand new.
[37:33.510 --> 37:38.170]  And I thought I had some additional information on that, but I don't right here.
[37:38.370 --> 37:46.250]  In any case, if you want to know more about AIS, you can also read these ITU-R recommendations and you can download those online.
[37:48.510 --> 37:58.610]  Now, the folks at Trend Micro, a team led by a fellow named Marco Balduzzi, actually has published stuff.
[37:58.710 --> 38:03.770]  And he's spoken probably at DEF CONs or Black Hats about issues with AIS.
[38:03.770 --> 38:07.150]  And he's been talking about this for, you know, seven years.
[38:07.770 --> 38:14.590]  But there are four main vulnerabilities with the AIS protocol that are important that I want to address.
[38:14.590 --> 38:17.610]  One of them is lack of message integrity.
[38:17.690 --> 38:24.810]  And the lack of message integrity being that when you get a message, you don't actually know that that was the message that was sent by the other person.
[38:24.930 --> 38:39.910]  So it is theoretically possible, although very difficult, and I would argue maybe even unnecessary, but it is theoretically possible that some ship will transmit a message and another vessel could overwrite a portion of the message.
[38:39.910 --> 38:47.270]  But in any case, there's no way to prove that the message you receive is the message that was transmitted.
[38:47.510 --> 38:49.810]  There's also no timing integrity.
[38:49.870 --> 38:53.830]  So when you receive a message, you're receiving it obviously in real time.
[38:53.830 --> 38:56.450]  You don't actually know when the message was sent.
[38:56.830 --> 39:06.970]  There is no authentication, meaning that when you get a message purporting to come from a particular vessel, you have no way of knowing that it really came from that vessel.
[39:06.970 --> 39:10.670]  And there's also no validity check.
[39:10.670 --> 39:17.810]  Namely, if a vessel says, I am located at the following lat and long, there's no way to prove that they're really at the lat and long.
[39:18.330 --> 39:24.170]  Now, if we compromise AIS communications, I can do all sorts of, you know, weird things.
[39:24.170 --> 39:28.550]  I can create fake vessels that now other ships are going to respond to.
[39:28.550 --> 39:40.510]  I can trigger false SOSs, search and rescue messages, collision alerts, closest point of approach alerts, bogus weather information that might cause you to deviate when you don't have to deviate.
[39:41.090 --> 39:42.930]  Why would I want to do that?
[39:42.930 --> 39:44.390]  Well, I'm a pirate.
[39:44.470 --> 39:47.070]  I can only make it 30 miles offshore.
[39:47.070 --> 39:48.790]  You're 50 miles offshore.
[39:48.790 --> 39:54.230]  If I can somehow get you to deviate 20 miles closer to the coast, you're now within my range.
[39:54.230 --> 39:56.550]  So reasons such as that.
[39:56.550 --> 40:05.690]  So anyway, so when you get the presentation, you'll see I mentioned some, you know, I mentioned these again with a few more verbs.
[40:06.050 --> 40:08.850]  But again, there's other things you can do.
[40:08.850 --> 40:12.470]  By the way, you can create vessels that aren't real, ghost vessels.
[40:12.770 --> 40:16.490]  You can also do something called a frequency hopping attack.
[40:16.490 --> 40:29.830]  You can actually launch a denial of service attack on other vessels and basically either usurp all of the frequency or you can cause them to just transmit in areas where nobody else is listening.
[40:33.140 --> 40:37.100]  This is also a picture that was a little bit inspired by the Balduzzi group.
[40:37.100 --> 40:48.860]  Just showing all the different vessels and their communication of AIS messages and ways in which you can or attack vectors that are possible.
[40:48.860 --> 40:52.380]  There are a lot of lines here in green.
[40:52.460 --> 40:55.180]  The green are RF based threats.
[40:55.180 --> 41:00.160]  So there's a lot of ways that if you can get yourself on the radio network, which is not hard to do.
[41:00.160 --> 41:08.260]  You can send out bogus information that is going to impact vessel traffic management, vessels at sea.
[41:08.260 --> 41:11.940]  And then, of course, there's other ways of doing it with just straight out software.
[41:13.780 --> 41:30.260]  Now, AIS is used to transmit information, not only to the vessels in the local area, but there are a lot of services that gather this information, aggregate it and then post it online.
[41:30.260 --> 41:44.100]  And so I just want to observe that the International Maritime Organization recognized 15 years ago that this information leakage potentially impacts safety at sea.
[41:44.840 --> 41:47.920]  I think they were right 15 years ago.
[41:47.920 --> 41:52.180]  I think today that that horse has left the barn.
[41:52.300 --> 41:55.300]  So it's something that we need to deal with.
[41:55.300 --> 41:58.020]  I don't think it's something that we can stop doing.
[41:58.020 --> 42:02.300]  But as an example, this is MarineTraffic.com.
[42:02.540 --> 42:06.200]  It's one of many aggregator sites.
[42:06.200 --> 42:11.520]  And you can sort of get an idea right here of, you know, all these vessels that are floating around the world right now.
[42:11.520 --> 42:21.360]  There's something on the order of 75,000 merchant cargo ships going around the world at any given point in time.
[42:21.920 --> 42:25.060]  They're all required to be broadcasting with AIS.
[42:26.440 --> 42:28.260]  This is the White Rose of Drax.
[42:28.260 --> 42:34.260]  You may remember White Rose was the vessel that the University of Texas at Austin people used.
[42:34.640 --> 42:37.740]  On the date where I actually did this, they were in Monaco.
[42:38.520 --> 42:42.040]  Oh, by the way, there's a picture of the boat.
[42:44.520 --> 42:45.940]  Here's Find Ship.
[42:46.840 --> 42:53.040]  I took this screenshot, you know, about, well, a little over two, probably about two and a half years ago.
[42:53.800 --> 42:55.920]  Atria happened to be in Barcelona.
[42:56.620 --> 42:59.700]  You can do real-time tracking of vessels.
[42:59.700 --> 43:03.720]  These are vessels that are off of Titusville and Port Canaveral.
[43:03.900 --> 43:12.280]  And so not only am I getting the vessel and information about the vessel, but I can see the track of the vessel, where it had been coming from.
[43:12.280 --> 43:13.860]  This is from Vessel Finder.
[43:14.940 --> 43:19.980]  Now, I talked in my last talk, and so I'll merely just mention it again.
[43:19.980 --> 43:23.400]  It's easy enough to build your own AIS receiver.
[43:23.580 --> 43:26.000]  There's a variety of tools to help you do that.
[43:26.000 --> 43:32.160]  I use the Raspberry Pi and dAISy HAT and bring in information that way.
[43:33.540 --> 43:39.480]  And then what you can do is you can display this information using any number of open source software.
[43:39.860 --> 43:41.660]  I happen to use OpenCPN.
[43:41.660 --> 43:46.380]  It is probably one of the more commonly used, but there's other software that can display this as well.
[43:46.380 --> 43:49.400]  But really where I want to go is this.
[43:49.740 --> 43:53.920]  This is what an AIS message looks like.
[43:53.920 --> 44:00.420]  This is a particular type of AIS message that is being transmitted from another vessel.
[44:00.740 --> 44:05.220]  And I'm going to break this down just real quickly for you.
[44:05.680 --> 44:15.320]  So the exclamation point at the beginning says this is an NMEA 0183 message that has special encapsulation.
[44:15.320 --> 44:20.380]  The AI says this is an AIS message.
[44:21.260 --> 44:26.140]  The VDM is a VHF data link message.
[44:26.140 --> 44:31.500]  So this is a message coming in from an AIS device on another vessel.
[44:31.500 --> 44:33.080]  It's not your message going out.
[44:33.080 --> 44:35.020]  Somebody else is coming in.
[44:36.210 --> 44:43.640]  So AIS messages are transmitted as a set of one or more sentences.
[44:43.640 --> 44:50.100]  So what this is telling me is that there are two sentences comprising this message.
[44:50.100 --> 44:52.380]  This is sentence number one.
[44:52.380 --> 44:56.080]  And this sentence has serial number zero.
[44:56.080 --> 44:59.260]  I need a serial number so that I can reassemble, right?
[44:59.380 --> 45:02.820]  Then I have A telling me this is being broadcast on channel A.
[45:02.820 --> 45:10.960]  And then the rest of this gobbledygook up until I get to the comma is the encapsulated AIS message.
[45:10.960 --> 45:19.380]  The zero here tells me that I'm going to have to add no bits to get six bit alignment.
[45:19.380 --> 45:21.760]  And then the 7B is the checksum.
[45:22.200 --> 45:27.860]  The second line says, well, two sentences or two sentences in the message.
[45:27.860 --> 45:32.700]  This is sentence number two of serial number zero on channel A.
[45:32.700 --> 45:33.880]  Here's the message.
[45:33.880 --> 45:35.580]  We need two padding bits.
[45:35.580 --> 45:37.500]  Here's the checksum of the second message.
[45:37.500 --> 45:39.160]  Anyway, this is a message type five.
[45:39.160 --> 45:41.740]  It's called the ship static and voyage related data.
[45:41.840 --> 45:44.060]  And here's the information that we get.
[45:44.360 --> 45:45.780]  So here's the name of the ship.
[45:45.780 --> 45:47.000]  Here's the type of cargo.
[45:47.020 --> 45:48.300]  Here's the ship dimensions.
[45:48.620 --> 45:51.940]  This is actually telling me where is your AIS antenna.
[45:53.380 --> 46:00.820]  So this is how far from the bow, how far from the stern, how far from the port side, how far from the starboard side.
[46:00.820 --> 46:02.040]  Anyway, there's all this information.
[46:02.040 --> 46:04.320]  Oh, and by the way, where it's going and what it draws.
[46:06.700 --> 46:10.640]  Here is some of the code that I've written, an AIS parser.
[46:10.640 --> 46:16.940]  This is taking a different AIS message, but it's parsed it out same way and giving you a URL.
[46:16.940 --> 46:21.780]  So when you click on the latitude and longitude, up comes a map and shows you where this thing is.
[46:23.840 --> 46:27.080]  So I have a couple of tools that are on my website.
[46:29.420 --> 46:31.700]  One is called timestamp data.
[46:31.700 --> 46:33.660]  It's a Perl program.
[46:33.660 --> 46:52.400]  And what timestamp data does is if you point timestamp data at a TCP or UDP socket, IP address and a port number, it will take AIS data from there and put a timestamp on it and collect it into a file.
[46:52.400 --> 47:03.800]  You can then take that file and use a program called play AIS, also a Perl program, and it will take the AIS data and put it out to a TCP UDP socket.
[47:03.900 --> 47:06.980]  So I'm telling you that so I can tell you this.
[47:06.980 --> 47:08.760]  I'm not going to show you a video.
[47:09.040 --> 47:11.820]  What I'm going to do is this.
[47:12.160 --> 47:14.660]  And you guys will get to see this live.
[47:15.420 --> 47:19.140]  So this is Daytona Beach, more or less.
[47:20.100 --> 47:23.560]  Down here where this black boat is, it says Middle Island.
[47:23.620 --> 47:26.540]  This is Ponce de Leon Inlet.
[47:27.720 --> 47:29.900]  So we're on the east coast of the Atlantic.
[47:29.900 --> 47:31.760]  And you see we got all these boats here.
[47:31.820 --> 47:35.520]  I need to go around to my terminal window.
[47:38.400 --> 47:41.520]  I need to get to the right window here.
[47:41.520 --> 47:43.820]  That's timestamp. I don't want timestamp.
[47:45.920 --> 47:48.040]  Okay, so we got play AIS here.
[47:48.040 --> 47:52.920]  You would have thought that I would have set this up already, but I was playing around with it so much.
[47:52.920 --> 47:58.520]  What I'm going to do is I'm going to run a program or run a file.
[47:59.680 --> 48:02.100]  And actually, I'll let you see what the file says.
[48:02.100 --> 48:09.140]  All this is doing is it's play AIS, and it is going to replay a whole bunch of data.
[48:10.400 --> 48:14.840]  And if I show you what this data looks like...
[48:21.290 --> 48:25.430]  I mean, all this is is a whole crapload of AIS data.
[48:25.690 --> 48:31.950]  Now, really, what I want to do here is actually play this for you.
[48:33.410 --> 48:33.890]  So...
[48:35.710 --> 48:38.610]  Rats, I was right there, too. Here we are.
[48:38.610 --> 48:42.610]  Okay, so we're actually going to run this program or run this shell script.
[48:44.850 --> 48:48.030]  Now, I'm going to go back over here to OpenCPN.
[48:48.070 --> 48:53.730]  And what's going to happen is right around here somewhere, watch closely, a vessel will appear.
[48:54.210 --> 48:56.370]  It will be called the CFOX.
[48:58.410 --> 49:00.370]  Yeah, live demos. Don't you love them?
[49:00.370 --> 49:03.490]  Okay, so here is the CFOX.
[49:05.030 --> 49:08.090]  And that's what the information we have on the CFOX.
[49:08.430 --> 49:14.210]  Now, the CFOX is a real ship. So is this ship that also magically appeared, Jupiter.
[49:14.430 --> 49:16.150]  They're also a real ship.
[49:16.590 --> 49:20.530]  But the difference is... I'm going to go back here for a second.
[49:20.810 --> 49:23.870]  See this data that's going out? Well, let's ignore that.
[49:24.050 --> 49:27.570]  Let's just look back up here. You see the date of the data?
[49:27.570 --> 49:34.370]  2019-7-23. Those vessels are real, but they were there a year ago.
[49:35.150 --> 49:38.670]  So this is a classic replay attack.
[49:38.670 --> 49:50.630]  If you're a vessel relying on your AIS, and all of a sudden you see a couple of ships appear that weren't there before, well, you're going to take certain action.
[49:50.770 --> 49:53.310]  Here's a ship called the Voyager. It's a sailboat.
[49:53.310 --> 49:59.690]  And to be honest with you, I don't remember whether that was there before, so I don't know if that's a real ship or a stupid ship.
[49:59.950 --> 50:04.890]  Now, this is merely a demonstration of capability. I'm not actually transmitting this on the radio.
[50:04.890 --> 50:07.710]  I'm transmitting this from one end of my computer to the other.
[50:07.850 --> 50:16.930]  And one of the criticisms that I have sometimes gotten when I showed this demo is, well, you know, if you had radar, you would know that that's not a real ship.
[50:16.930 --> 50:24.430]  And that may be true, but I've been on plenty of boats that don't have radar. They do have AIS.
[50:24.470 --> 50:26.290]  But I'm going to show you this instead.
[50:26.490 --> 50:28.130]  This is Ponce Inlet.
[50:28.230 --> 50:32.470]  Now, for those of you who are mariners, you understand the reds and the greens and all that kind of stuff.
[50:32.470 --> 50:37.030]  You also understand the difference between the dark blue and light blue.
[50:37.030 --> 50:42.230]  And in this case, the dark blue is shallow water and the light blue is deep water.
[50:42.330 --> 50:45.470]  So Ponce Inlet is dredged up here at the north side.
[50:45.470 --> 50:49.630]  And you'll notice if you look at the buoys, it's very clear.
[50:49.630 --> 50:53.710]  Here's your number two buoy, and they want you coming in on the north side.
[50:54.170 --> 50:58.570]  So I have something else I want to show you.
[50:59.370 --> 51:01.350]  And let's see.
[51:03.030 --> 51:04.430]  Well, here we go.
[51:04.430 --> 51:07.950]  Let me see if I can just remember the name without embarrassing myself.
[51:12.480 --> 51:18.640]  So if we go back here, note we have a bunch of things just appearing.
[51:19.200 --> 51:23.460]  These are virtual ATONs, virtual aids to navigation.
[51:23.860 --> 51:32.780]  This first virtual ATON, which I have dutifully named PI for Ponce Inlet, is telling me that this is a preferred channel marker.
[51:32.800 --> 51:40.740]  Not only is it a preferred channel marker, but it's telling me that the preferred channel keeps this marker on my starboard side.
[51:40.740 --> 51:43.600]  Meaning I want to come in this way.
[51:43.960 --> 51:52.220]  And now if you look at the triangles and the squares, it's telling me that my preferred channel brings me in right here, right into the shallow zone.
[51:52.580 --> 52:03.800]  If I do a target query on this, I'm going to see that this has an appropriate ID that tells me that the Coast Guard put this out there.
[52:03.800 --> 52:11.660]  Because the Coast Guard is the only authority in the United States that has... well, it's the only organization that has the authority to put out virtual ATONs.
[52:11.660 --> 52:15.040]  But there's no authentication in AIS.
[52:15.400 --> 52:19.980]  So my observation is here, all the radar in the world isn't going to help you now.
[52:20.240 --> 52:31.080]  Because if you don't know this inlet, you don't have a chart, and you're not talking to anybody, and you're relying on your AIS, you just saw that this is the preferred way in.
[52:31.780 --> 52:35.660]  And maybe somebody knows something that your chart doesn't.
[52:35.900 --> 52:39.660]  And you'll actually run out of water somewhere around here.
[52:41.260 --> 52:46.800]  That is my... I don't even know where anything is anymore.
[52:46.800 --> 52:52.160]  That is my demo of spoofing.
[52:52.280 --> 52:56.360]  So a couple things I want to say before I go over to Q&A.
[52:56.360 --> 53:04.800]  Here's a picture of my wife herding fish, because I like to give that as an analogy of these problems.
[53:05.280 --> 53:07.560]  Some of the stuff I've talked about is very, very real.
[53:07.560 --> 53:10.280]  And you can pick up the newspaper and read about it all the time.
[53:10.520 --> 53:16.360]  Some of the problems, you know, some people pass off and say, well, that's theoretically possible, but...
[53:17.100 --> 53:23.000]  And, you know, there's a whole bunch of people in the community who have been making the, well, that's theoretical.
[53:23.000 --> 53:25.180]  They've been making it practical for decades.
[53:25.180 --> 53:27.740]  I like this quote by Arthur C. Clarke.
[53:28.340 --> 53:33.420]  If an elderly but distinguished scientist says that something is possible, he's most certainly right.
[53:33.420 --> 53:36.300]  If he says it's impossible, he's very probably wrong.
[53:37.200 --> 53:42.300]  There's a lot of things that I can think of that are bad things that I could do.
[53:42.300 --> 53:48.400]  I may not be able to do them today, but they might... the technology might catch up with me in the next couple of years.
[53:48.400 --> 53:55.040]  And the last thing I want to give is a quick analogy and story, and then I'll be mostly done.
[53:55.320 --> 54:00.160]  For those of you who are mariners, you recognize this lighting configuration.
[54:00.540 --> 54:02.280]  Rule 27(f).
[54:02.380 --> 54:06.580]  This is a minesweeper engaged in minesweeping activity.
[54:06.720 --> 54:14.960]  By the way, based on the red, white and green lights, it's aimed directly at you, which means you're already in the minefield.
[54:14.960 --> 54:19.100]  But the analogy that I really want to use is this.
[54:19.320 --> 54:23.100]  If you're in a minefield, what's your problem?
[54:23.300 --> 54:33.180]  Is your problem the threat of the mine, or is it the vulnerability of your ship to the explosion?
[54:33.580 --> 54:38.760]  And I ask that because, again, I'm going to give you a story out of early World War II history.
[54:38.780 --> 54:43.200]  During the Battle of the Atlantic, the Germans came up with the idea of a magnetic mine.
[54:43.200 --> 54:46.400]  So they planted magnetic mines in all sorts of places.
[54:46.400 --> 54:57.520]  The way a magnetic mine got tripped was because when a battleship or any metal-hulled ship went over it, it disrupted the Earth's magnetic field sufficiently so that the mine could deploy.
[54:57.740 --> 54:59.760]  The British figured that out.
[54:59.760 --> 55:03.260]  They then figured out a way to degauss all of their ships.
[55:03.260 --> 55:07.260]  And now they could go over magnetic mines and there was no problem.
[55:07.260 --> 55:13.880]  The point is, what they did was fix the vulnerability of the ship.
[55:14.120 --> 55:17.320]  That obviated the threat of the mine.
[55:17.580 --> 55:21.920]  So when we're talking about threats and vulnerabilities, we need to know which to go after.
[55:21.920 --> 55:24.360]  Basically, we can't stop all the threats.
[55:24.360 --> 55:26.720]  We can find and fix our vulnerabilities.
[55:27.280 --> 55:29.600]  In any case, here's some contact information.
[55:29.600 --> 55:31.260]  I'll leave that up for now.
[55:31.260 --> 55:34.200]  I'm going to go back to the beginning here.
[55:34.400 --> 55:40.060]  And we have some time for Q&A if people have some Qs and As.
[55:45.410 --> 55:47.550]  There are questions from Twitch.
[55:48.170 --> 55:49.150]  Okay.
[55:49.590 --> 55:53.310]  I'm trying to find out where I can get my...
[55:53.310 --> 55:55.410]  Oh, I think I've gone too far.
[55:58.860 --> 56:00.840]  I can get questions from AIS techs.
[56:00.840 --> 56:06.320]  If there are questions, I'm not sure the best way to get them to me, but feel free to get them to me.
[56:12.290 --> 56:13.370]  Let's see.
[56:16.220 --> 56:18.680]  No, let's go back up here and see what we got.
[56:26.360 --> 56:27.720]  Transmitting fake packets?
[56:28.000 --> 56:31.280]  Yeah, you can actually transmit fake packets.
[56:31.280 --> 56:35.560]  And I'm not 100% sure what devices will do.
[56:35.560 --> 56:42.540]  If you're a legitimate ship, you send out your packet, it displays on the AIS, and then all of a sudden I send out a fake packet.
[56:42.720 --> 56:44.360]  I'm sorry, you send out the real packet.
[56:44.360 --> 56:46.320]  I followed up with a fake packet.
[56:46.500 --> 56:52.240]  My suspicion is that other vessels are going to display the latest information they got.
[56:55.630 --> 56:57.550]  You can, in fact, flood.
[56:57.550 --> 57:00.070]  You can flood the system.
[57:00.170 --> 57:02.870]  You can launch a denial of service on AIS.
[57:02.870 --> 57:13.270]  You can cause some ships to go blind or get blinded and only be transmitting to effectively you as the attacker can see them.
[57:17.110 --> 57:23.910]  AIS is mostly TDMA, but it's not strictly TDMA because it's self-organizing.
[57:28.970 --> 57:30.570]  So let's see.
[57:30.570 --> 57:33.270]  I'm getting a message over here on Slack.
[57:33.270 --> 57:35.670]  What does the shadow have for me?
[57:36.870 --> 57:38.610]  Oh, nothing over there.
[57:39.250 --> 57:41.530]  Got a whole bunch of things over here.
[57:47.270 --> 57:51.110]  Ah, a question from Twitch.
[57:51.110 --> 57:53.630]  Did it figure out how the crop circle spoofing worked?
[57:53.830 --> 58:01.390]  You know, I have not read anything that describes how the crop circle is working.
[58:01.390 --> 58:08.250]  In fact, I have read a number of things where people at first were saying, we have no clue how they did this.
[58:10.670 --> 58:13.770]  How realistic is the concern that AIS spoofing...
[58:13.770 --> 58:14.950]  Oh, how do I get rid of this?
[58:14.950 --> 58:15.830]  Oh, here we go.
[58:15.830 --> 58:17.550]  Can lead to ship collisions.
[58:17.630 --> 58:20.590]  Okay, so how realistic is the concern?
[58:20.590 --> 58:32.530]  I don't know that it can lead to collisions per se, other than altering the information so that other vessels can't see that you're there.
[58:32.530 --> 58:42.650]  So, for example, you know, the collisions with the U.S. Navy vessels, particularly the John McCain a couple years ago, were probably not due to anything like this.
[58:42.650 --> 58:44.290]  And they did investigate it.
[58:44.290 --> 59:01.530]  But if you don't have an appropriate watch and it's nighttime and you don't have good situational awareness, I can probably devise scenarios where ships get way closer to each other than they want to be.
[59:04.230 --> 59:11.830]  There's a question here about incidents of spoofing on the space and control segments, not of which I am aware.
[59:15.630 --> 59:18.170]  And readout's got a couple things.
[59:18.990 --> 59:21.950]  Where did I get the vessel name for the Shanghai incident?
[59:23.010 --> 59:31.410]  Well, certainly not from a secret document because I don't have access to those and I would be very careful about sharing it.
[59:31.410 --> 59:34.690]  I got it. I must have gotten it from the Coast Guard.
[59:34.690 --> 59:36.050]  So hang on two seconds.
[59:39.170 --> 59:41.270]  That's Estella Imparo, right?
[59:41.270 --> 59:47.350]  Yeah, I got something from U.S. Coast Guard NAVCEN back.
[59:47.350 --> 59:49.150]  Well, that's when it got reported.
[59:49.290 --> 59:57.570]  So I guess I'm not 100% sure right now where I got it, but I know that it was out there somewhere.
[01:00:10.680 --> 01:00:12.080]  Oh, dear.
[01:00:12.480 --> 01:00:14.360]  I've now lost myself.
[01:00:20.770 --> 01:00:22.770]  Oh, there was something I just missed there.
[01:00:23.730 --> 01:00:25.890]  Something about the Fitzgerald.
[01:00:28.530 --> 01:00:30.790]  Let me get back up here.
[01:00:39.470 --> 01:00:44.870]  I heard some stuff about the Fitzgerald being subjected to any number of things.
[01:00:45.370 --> 01:00:55.950]  I thought the latest that I'd read was that they said, sorry, it was operator error, because a lot of warships turn off their AIS.
[01:00:55.950 --> 01:00:59.510]  Now, when they turn it off, they're still receiving, they're just not transmitting.
[01:01:00.230 --> 01:01:02.410]  And I've actually been on a couple ships.
[01:01:02.410 --> 01:01:03.730]  It's sort of funny.
[01:01:04.130 --> 01:01:07.570]  I was on one boat where they could turn off their AIS.
[01:01:07.570 --> 01:01:09.190]  They had a toggle switch.
[01:01:09.310 --> 01:01:15.370]  Like, you know, a toggle switch like you could go to Lowe's and get a two-position toggle switch.
[01:01:15.370 --> 01:01:19.090]  And then they had like a plastic label that said on-off.
[01:01:19.090 --> 01:01:21.550]  And that was their AIS switch.
[01:01:21.550 --> 01:01:23.070]  They could turn it on and off.
[01:01:25.310 --> 01:01:29.050]  But I don't know the detail of the Fitzgerald.
[01:01:29.050 --> 01:01:31.790]  I had not read that it was spoofed.
[01:01:31.790 --> 01:01:35.830]  But if anybody has any detail about that you'd like to forward to me, I would love to see it.
[01:02:01.820 --> 01:02:03.240]  Thank you very much.
[01:02:04.780 --> 01:02:05.940]  My pleasure.
[01:02:07.560 --> 01:02:11.700]  So, listen, I'm going to stay on for a few more minutes.
[01:02:11.760 --> 01:02:14.540]  I know that I'm at the end of my witching hour.
[01:02:14.720 --> 01:02:17.260]  If you've got more questions, obviously, feel free.
[01:02:17.340 --> 01:02:19.820]  I will be taking the slides.
[01:02:20.000 --> 01:02:25.380]  And within the next 10 or 15 minutes, I'll be making a PDF and I'll upload them.
[01:02:25.380 --> 01:02:29.320]  Or I'll send them to the people who will upload them to places.
[01:02:30.160 --> 01:02:33.940]  Obviously, anybody is welcome to contact me at any point about any of this.
[01:02:34.440 --> 01:02:36.580]  I should give a little bit of an advertisement.
[01:02:37.100 --> 01:02:49.560]  Some of the research that I've been doing for the last year and a half or so that caused me to build some of these tools was I came up with a demonstration and capability system to build a protected AIS, which I had a lot of fun doing.
[01:02:50.120 --> 01:02:56.880]  I'm going to talk, I'll be talking about that tomorrow at, I think, I think is it four o'clock Eastern time?
[01:02:56.880 --> 01:03:08.780]  So one o'clock Pacific time. And if anybody wants to sit in on that and, you know, I'll talk a little bit more about what AIS looks like and how I built in the protected code and, you know, that kind of stuff.
[01:03:09.600 --> 01:03:11.940]  And I think that's it for now.
[01:03:11.940 --> 01:03:16.160]  Otherwise, but like I said, I'll hang here for a couple of minutes before they kick me out.
[01:03:16.160 --> 01:03:17.280]  But thank you all very much.
